Cliff L. Biffle
Cliff is a software generalist at Oxide Computer Company working on server system software. He's spent the most recent 12 years of his career neck-deep in low-level applications from processor sandboxing on Native Client, to stratospheric avionics firmware at Loon, to machine learning ASIC design at Google. He has a passion for equipping programmers with better tools that let them build more complex things, faster, with fewer defects, which caused him to get really excited about Rust around 2015. He is the author of "Learn Rust the Dangerous Way," a tutorial aimed at C systems programmers like him.
When not exchanging services for currency, he enjoys building absurdist electronic art and upending fashion norms.
United States (UTC -07:00)Employer –
Oxide Computer CompanyGithub – Homepage –
On Hubris and Humility: when "write your own OS" isn't the worst idea
Hubris is a small open-source operating system for deeply-embedded computer
systems, such as our server's replacement for the Baseboard Management
Controller. Because our BMC replacement uses a lower-complexity microcontroller
with region-based memory protection instead of virtual memory, our options were
limited. We were unable to find an off-the-shelf option that met our
requirements around safety, security, and correctness, so we wrote one.
Hubris provides preemptive multitasking, memory isolation between
separately-compiled components, the ability to isolate crashing drivers and
restart them without affecting the rest of the system, and flexible
inter-component messaging that eliminates the need for most syscalls -- in about
2000 lines of Rust. The Hubris debugger, Humility, allows us to walk up to a
running system and inspect the interaction of all tasks, or capture a dump for
However, Hubris may be more interesting for what it doesn't have. There are no
operations for creating or destroying tasks at runtime, no dynamic resource
allocation, no driver code running in privileged mode, and no C code in the
system. This removes, by construction, a lot of the attack surface normally
present in similar systems.
This talk will provide an overview of Hubris's design, the structure of a Hubris
application, and some highlights of things we learned along the way.